4 steps to making your website GDPR compliant
Whilst GDPR legislation appears complex, making your website compliant is actually pretty straightforward unless you are doing something a little exotic in terms of data gathering and processing.
In this guide, we will outline 4 basic steps to making sure your website complies with GDPR, hopefully helping you relax and get on with business as usual.
Step 1 - review your website
Review data captured on the website
Review all the ways you gather data on the website, such as forms, surveys, user accounts, etc. This may also include ways in which you personalise a user's journey through the website. Remember that your CMS may also be writing cookies for its own functional requirements, so make sure you check what cookies your website writes and how these may be used on return visits.
Make sure forms carry an appropriate notification of what you will do with the captured data and that the user consents to this by taking a proactive action to agree. Look out for any pre-checked boxes. And do not forget to ensure that this consent is appropriately stored.
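The cookie review above is easiest to do systematically. The following is an added example (not code from the original article): it takes the Set-Cookie headers a site returns, lists each cookie, says whether it persists across return visits, and flags missing security attributes. The sample headers are constructed and the cookie names are assumptions, not a real site's output.

```python
"""Audit Set-Cookie headers: list every cookie, note whether it persists
(and so can recognise a returning visitor) and flag weak attributes."""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: what a CMS session cookie, an analytics tag and a
# "remember me" feature might emit. Names and values are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=7f1a2b3c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.123456789.1700000000; Path=/; Max-Age=63072000",
    "remember_me=1; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
]


@dataclass
class CookieReport:
    name: str
    persistent: bool           # survives browser close: usable on return visits
    lifetime: str              # "session", "Max-Age=..." or "Expires=..."
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and report on it."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")      # flags such as Secure have no value
        attrs[key.strip().lower()] = value.strip()
    lifetime = "session"
    if "max-age" in attrs:
        lifetime = f"Max-Age={attrs['max-age']}"
    elif "expires" in attrs:
        lifetime = f"Expires={attrs['expires']}"
    report = CookieReport(name, lifetime != "session", lifetime)
    if "secure" not in attrs:
        report.findings.append("missing Secure: also sent over plain HTTP")
    if "httponly" not in attrs:
        report.findings.append("missing HttpOnly: readable by page scripts")
    if "samesite" not in attrs:
        report.findings.append("missing SameSite: sent on cross-site requests")
    if report.persistent:
        report.findings.append("persistent: identifies the browser on return visits, document it in the policy")
    return report


def audit(headers: List[str]) -> List[CookieReport]:
    return [parse_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for r in audit(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{r.name:12} {r.lifetime:45} {'; '.join(r.findings) or 'ok'}")
```

Feed it the Set-Cookie headers from your browser's developer tools or a curl -I of each page; every persistent cookie it lists is one your privacy policy has to explain.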
Review any tracking/analytics tools
Review what tools you are using to analyse the website, such as Google Analytics, Webtrends, etc., and make sure these are GDPR compliant.
Remember that even if you are not doing anything creepy yourself, third party tools may be tracking individual user data, so you need to understand what they are doing and confirm that they are GDPR compliant.
Check whether you are doing any individualised tracking; if so, you need to inform the user about this and get their consent. Considering this point, we would strongly recommend anonymising any analytics to ensure you are compliant.
Review any third party services used on your website
We have already talked about analytics software such as Google Analytics, however you may have other third party services/solutions which track the user. These would include items such as chat services (for example Purechat), social media sharing buttons, PDF viewers, remarketing solutions, call tracking services, etc.
These need to be reviewed and evaluated to check they are GDPR compliant, making sure you understand what they are doing so you can inform the user in your GDPR site policy and identify whether you also need to get consent.
Step 2 - inform people of what you are doing or going to do...
Get permissions for gathering data
If you are gathering data, then you need to make sure the user has agreed to this.
In practice, if someone is filling out a form, then they are taking a proactive action to send something to you; however, if you intend to do anything further with this data, such as adding them to a mailing list, then you will need to inform them of this intention and get their consent in an active manner.
If you are gathering other data in a less direct manner, then you will certainly need to inform the user before you do this. An example of this could be a remarketing service that combines visitor data gathered across multiple websites, creating profiles for targeted communications/advertising on other websites.
Note - Remember this is about individual tracking, so services that identify which company a visitor works for using DNS lookups are theoretically OK, as they have not identified an individual.
An area we were initially concerned about was server logs and web analytics, which obviously gather personal data (the user's IP address). We have concluded that as long as this is being gathered/processed to ensure the website functions correctly (so it can be debugged in the event of an error), then this is a legitimate reason to gather the data. You will therefore not need to seek consent, as long as you are not personalising this data and using it to individually assess the user for other purposes.
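Both the recommendation to anonymise analytics and the point about IP addresses in server logs come down to the same operation: drop the part of the address that singles out one visitor while keeping enough to debug with. The following is an added example, not code from the original article: it anonymises the client address in combined-format log lines. The sample lines are constructed, and the /24 (IPv4) and /48 (IPv6) widths are this example's choice.

```python
"""Anonymise client IP addresses in web server log lines so the log still
supports debugging but no longer identifies a single visitor."""
import ipaddress
import re
from typing import List

# Constructed sample lines in Apache/nginx combined log format, using
# documentation address ranges rather than real visitors.
SAMPLE_LOG_LINES = [
    '203.0.113.57 - - [10/May/2018:12:00:01 +0000] "GET /contact HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - - [10/May/2018:12:00:02 +0000] "POST /contact HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not-an-ip - - [10/May/2018:12:00:03 +0000] "GET / HTTP/1.1" 200 10 "-" "-"',
]

# Assumed widths: keep the network part, zero the host part.
IPV4_KEEP_BITS = 24   # 203.0.113.57 -> 203.0.113.0
IPV6_KEEP_BITS = 48   # 2001:db8:85a3::8a2e:370:7334 -> 2001:db8:85a3::


def anonymise_ip(text: str) -> str:
    """Zero the host bits of an address; return the input unchanged if it is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


# The client address is the first whitespace-delimited field in combined format.
_CLIENT_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def anonymise_log_line(line: str) -> str:
    match = _CLIENT_FIELD.match(line)
    if not match:
        return line
    return anonymise_ip(match.group(1)) + match.group(2)


def anonymise_log(lines: List[str]) -> List[str]:
    return [anonymise_log_line(line) for line in lines]


if __name__ == "__main__":
    for out in anonymise_log(SAMPLE_LOG_LINES):
        print(out)
```

Run it as a filter in the log pipeline before lines are written to long-term storage; once only the truncated address is kept, the log still shows where errors cluster without recording who caused them.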
Update your T&Cs to provide notification
Make sure you have a GDPR section on your site, such as in your T&Cs or, ideally, in a privacy policy.
Ultimately you need to tell them what data you are gathering and what you are going to do with it. Items to include would be things like:
- Server Logs
- Analytics software
- Social media sharing buttons
- Chat systems etc
- Data gathered by forms
- User accounts
- and obviously anything spooky
Here it is not enough to just tell them what you are gathering; you also need to inform them what you will do with this data once gathered - how you are going to process it, share it, etc.
You also need to provide details (with contact information) of who your Data Officer is, so an individual can engage with them to make any data requests.
Step 3 - develop a GDPR policy
You need to have a GDPR policy so you can have effective governance around people's data, as well as effective processes and procedures.
Just developing this helps to establish the issues you face, ensuring you can mitigate them. Topics to include would be:
- What happens in the event of a breach - You need to define your process for responding to a breach, such as evaluating the risks posed to individuals, and how and when you will contact them to inform them of the breach.
- How you respond to a request for data - If someone asks for their data, how do you gather and package this for them, how do you transmit it, and what is reasonable to provide?
- Requests for deletion of data - People have the right to be removed from your database, so how will you respond to this, what are your procedures for removing the data, and what data might you have to retain for regulatory reasons (staff records, purchase history, etc.)?
- How you track changes - Whilst you may be compliant today, things change and your website evolves, so how do you ensure you have not broken your GDPR compliance and introduced something that puts you in breach?
There will be other aspects to your GDPR policy, but this is a good start for the web aspect.
Step 4 - finally, secure your website
Obviously the entire point of GDPR is to ensure you protect users' data and privacy. With this in mind you must also keep their data secure, as poor security is not an excuse and could put you in breach, resulting in fines. Carphone Warehouse and TalkTalk were both heavily fined for sloppy security.
Some key points to consider here:
- Know what data you are gathering and where you store it.
- Assess how this can be accessed and tighten any weaknesses or vulnerabilities.
- Remember to check how this is transmitted and backed up as this is an additional attack vector.
- Only gather and store what you need, so you reduce your risks and ultimately liabilities.
In the event of a breach, remember that the reason to inform someone about a breach is so they can mitigate any risk or damage. If, for example, you forward an email to the wrong person containing someone's personal details such as their address, date of birth or mother's maiden name, then this could be used nefariously and they must be informed immediately. If, however, the contents of the mail were simply “was lovely to talk last week, must catch up again”, then whilst this is personal data, you do not need to inform them of this breach as the risk or damage is minimal.
To conclude
If you have followed these steps then you (your website) should be in pretty good shape for being GDPR compliant.
As you can see this is all pretty straightforward and logical. Whilst the full 250 page directive is scary as shit to read and make sense of, when you boil it down it is all good common sense policy for ensuring an individual's privacy. To keep things simple it may be worth remembering Google's original statement of “do no harm”, which is a good place to start in ensuring you have not overstepped an individual's privacy.
In your GDPR journey you will come across a few key terms:
- Personal data - This means anything that is unique to an individual and can be related to them (name, email, IP address, etc.).
- Processing - This means reviewing, looking at or analysing the gathered personal data in any way.
- Data Controller - The individual/organisation that owns the data. In the context of a website, the website owner/operator.
- Data Processor - Anyone working with or on behalf of the Data Controller, such as a web agency or service.
- Legitimate Reason - This gives you a framework for gathering/processing data for functional reasons that cause no harm to the individual.